a little optimized G1::split

include/mcl/bn.hpp

@@ -654,15 +654,16 @@ struct GLV1 : mcl::GLV1T<G1, Fr> {
 		}
 		return false;
 	}
-	static void initForBN(const mpz_class& z, bool isBLS12 = false, int curveType = -1)
+	static void init(const mpz_class& z, bool isBLS12, int curveType)
 	{
+		optimizedSplit = 0;
 		if (usePrecomputedTable(curveType)) return;
 		bool b = Fp::squareRoot(rw, -3);
 		assert(b);
 		(void)b;
 		rw = -(rw + 1) / 2;
 		rBitSize = Fr::getOp().bitSize;
-		rBitSize = (rBitSize + UnitBitSize - 1) & ~(UnitBitSize - 1);// a little better size
+//		rBitSize = (rBitSize + UnitBitSize - 1) & ~(UnitBitSize - 1);// a little better size
 		if (isBLS12) {
 			/*
 				BLS12
@@ -690,6 +691,42 @@ struct GLV1 : mcl::GLV1T<G1, Fr> {
 		const mpz_class& r = Fr::getOp().mp;
 		v0 = ((-B[1][1]) << rBitSize) / r;
 		v1 = ((B[1][0]) << rBitSize) / r;
+		if (curveType == BLS12_381.curveType) {
+			optimizedSplit = optimizedSplitForBLS12_381;
+			v0 = -v0;
+			B[0][0] = -B[0][0];
+		}
+	}
+	// x = (a + b L) mod r
+	static inline void optimizedSplitForBLS12_381(mpz_class u[2], const mpz_class& x)
+	{
+		/*
+			z = -0xd201000000010000
+			L = z^2-1 = 0xac45a4010001a40200000000ffffffff
+			r = L^2+L+1 = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+			s=255
+			v = 0xbe35f678f00fd56eb1fb72917b67f718
+		*/
+		mpz_class& a = u[0];
+		mpz_class& b = u[1];
+#if MCL_SIZEOF_UNIT == 8
+		static const uint64_t Lv[] = { 0x00000000ffffffff, 0xac45a4010001a402 };
+		static const uint64_t vv[] = { 0xb1fb72917b67f718, 0xbe35f678f00fd56e };
+		static const size_t n = 128 / mcl::UnitBitSize;
+		Unit t[n*3];
+		mcl::bint::mulNM(t, x.getUnit(), n*2, (const Unit*)vv, n);
+		mcl::bint::shrT<n+1>(t, t+n*2-1, mcl::UnitBitSize-1); // >>255
+		bool dummy;
+		b.setArray(&dummy, t, n);
+		mcl::bint::mulT<n>(t, t, (const Unit*)Lv);
+		mcl::bint::subT<n>(t, x.getUnit(), t);
+		a.setArray(&dummy, t, n);
+		(void)dummy;
+#else
+		mpz_class t;
+		b = (x * v0) >> 255;
+		a = x - b * B[0][0];
+#endif
 	}
 };
 
@@ -942,7 +979,7 @@ struct Param {
 		} else {
 			mapTo.init(2 * p - r, z, cp.curveType);
 		}
-		GLV1::initForBN(z, isBLS12, cp.curveType);
+		GLV1::init(z, isBLS12, cp.curveType);
 		GLV2T<Fr>::init(z, isBLS12);
 		basePoint.clear();
 		G1::setOrder(r);

include/mcl/ec.hpp

@@ -2154,6 +2154,7 @@ struct GLV1T {
 	static size_t rBitSize;
 	static mpz_class v0, v1;
 	static mpz_class B[2][2];
+	static void (*optimizedSplit)(mpz_class u[2], const mpz_class& x);
 public:
 #ifndef CYBOZU_DONT_USE_STRING
 	static void dump(const mpz_class& x)
@@ -2184,6 +2185,10 @@ struct GLV1T {
 	static void split(mpz_class u[2], mpz_class& x)
 	{
 		Fr::getOp().modp.modp(x, x);
+		if (optimizedSplit) {
+			optimizedSplit(u, x);
+			return;
+		}
 		mpz_class& a = u[0];
 		mpz_class& b = u[1];
 		mpz_class t;
@@ -2193,7 +2198,7 @@ struct GLV1T {
 		b = - (t * B[0][1] + b * B[1][1]);
 	}
 	/*
-		initForBN() is defined in bn.hpp
+		init() is defined in bn.hpp
 	*/
 	static void initForSecp256k1()
 	{
@@ -2213,6 +2218,7 @@ struct GLV1T {
 		const mpz_class& r = Fr::getOp().mp;
 		v0 = ((B[1][1]) << rBitSize) / r;
 		v1 = ((-B[0][1]) << rBitSize) / r;
+		optimizedSplit = 0;
 	}
 };
 
@@ -2222,6 +2228,7 @@ template<class Ec, class Fr> size_t GLV1T<Ec, Fr>::rBitSize;
 template<class Ec, class Fr> mpz_class GLV1T<Ec, Fr>::v0;
 template<class Ec, class Fr> mpz_class GLV1T<Ec, Fr>::v1;
 template<class Ec, class Fr> mpz_class GLV1T<Ec, Fr>::B[2][2];
+template<class Ec, class Fr> void (*GLV1T<Ec, Fr>::optimizedSplit)(mpz_class u[2], const mpz_class& x);
 
 /*
 	Ec : elliptic curve